> > I'd like to know if a user is 'authorized' to login to a service once they > have a session (JSessionID), or are they only authorized after the TGT > cookie has been set? >
We modified the login flow a while back to check the service against the ServiceRegistry in the first few steps of the flow, long before authentication and/or ST creation. It's pretty much first thing nowadays. You can dig through the CAS Jira for the issue to see if your version includes the fix. (Pretty sure it was fixed when we were still on Jira.) M -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user